Data interoperability in the healthcare industry can help achieve successful treatment outcomes, improve healthcare quality, and enhance pharmaceutical efficiency. However, it also carries significant risks. As medical information networks become increasingly pervasive, various criminal activities have begun to proliferate alarmingly.
Especially in today’s digital era, the healthcare industry lags far behind other sectors in information protection, relying on outdated clinical technologies, having inadequate security for interconnected medical devices, and lacking comprehensive information security management processes. Some healthcare institutions may not yet recognize the sophistication of cyberattacks or the network-based methods hackers use to infiltrate and compromise patients’ confidential data.
Nowadays, the nature, depth, and consequences of cyberattacks on healthcare networks have changed. If medical institutions fail to keep pace with the times by upgrading their information security standards, they will inevitably suffer severe losses—not only financially but also potentially endangering patients' lives.
According to a cybersecurity survey conducted by KPMG in 2015 among 223 healthcare industry executives, 81% of respondents reported that their organizations had been compromised in the past two years by at least one type of malware, botnet, or other cyberattack. In fact, only half of the respondents believe they are sufficiently prepared to prevent cyberattacks. So, in this protracted battle to safeguard medical information against hackers, what are the most pressing concerns, and what viable solutions are available? VCBeat has excerpted KPMG’s survey report to provide an in-depth look.
The KPMG Healthcare Cybersecurity Report points out that healthcare organizations are facing the following security threats:
Digitization of patient records and automation of clinical systems.
Use of outdated electronic medical records (EMR) and clinical applications that fail to meet today’s cybersecurity standards, with software vendors shifting responsibility for this issue onto healthcare providers.
Protected electronic health information (ePHI) that is easily accessible both internally (laptops, mobile devices, thumb drives) and externally (third parties, cloud services).
Heterogeneity of Network Systems and Applications.
A constantly evolving threat landscape: today’s cyberattacks are more sophisticated and well-funded, and the data they acquire commands a high value on the black market.
For healthcare institutions and insurance companies, the primary cybersecurity concern is external attacks. A KPMG survey indicates that external attackers and third parties are the most vulnerable weak points of healthcare institutions, while the greatest threats are malware and HIPAA violations. (See the table below for details.)
Surveys indicate that as online information becomes increasingly abundant, threats are multiplying; however, the intent or expenditure dedicated to safeguarding information security has not been adjusted accordingly.
Due to differing priority classifications, insurers and healthcare institutions have distinct concerns when it comes to security vulnerabilities. For healthcare institutions, issues such as regulatory enforcement or litigation can further strain already slim profit margins. Most healthcare organizations find themselves in a difficult position regarding investment decisions; if a hospital has only $1 million at its disposal, it is likely to prioritize spending on patient care and life-saving treatments over data protection.
Insurance companies are often large, publicly listed enterprises operating across multiple jurisdictions. They are primarily concerned with negative reputational impacts that could lead to financial losses for shareholders or hinder growth plans. (See the table below for details.)
■ Healthcare institutions are still unable to effectively respond to cybersecurity threats
Healthcare institutions are not as frequent targets of hackers as sectors such as financial services. Consequently, healthcare management has not made the same effort to trace the sources of cyber threats as other sectors with extensive experience in combating cyberattacks. A KPMG survey shows that over the past year, only 13% of respondents reported conducting daily monitoring of cyber vulnerabilities; 38% performed monitoring between 50 and 350 times, while 44% did so only 1 to 50 times.
This indicates that most healthcare organizations are unable to effectively track, report, and manage cyber threats, lacking mature incident and vulnerability management processes, with daily cyberattacks often going unaddressed. A KPMG client saw a 1,000% increase in reported cyber incidents and vulnerabilities after implementing an effective Security Operations Center (SOC), likely because the organization had previously been completely unaware of ongoing cyberattacks. In fact, 25% of survey respondents stated that, based on their organization’s existing protection systems, they either lacked or were uncertain about their ability to detect compromises in real time.
■ The key to defending against cyberattacks is being prepared
Immediate management and response are highly nuanced, encompassing the investigation, tracking, and eradication of cyber threats, as well as communication and reporting to the public and regulatory authorities. However, some healthcare institutions report vulnerabilities prematurely—often before determining the source of the threat, identifying the attacker, or assessing which parts of the system have been compromised. Consequently, such actions often prove counterproductive, exacerbating their own losses.
KPMG’s survey shows that over the past year, management teams across various regions (85% of surveyed medical institutions and 89% of surveyed insurance companies) have widely discussed cybersecurity, yet many healthcare institutions have still not taken the necessary measures to prepare for cyber threats.
In terms of human capital, 19% of healthcare organizations have not designated a senior executive with full responsibility for information technology security, compared to 8% of insurance companies; 25% of healthcare organizations have not established a security operations center (SOC) to identify and assess threats, compared to 20% of insurance companies. In future cybersecurity incident response efforts, priority should be given to strengthening these two areas.
■ Distribution of Cybersecurity Investments
Although most surveyed healthcare institutions have increased their cybersecurity spending and ramped up investments in this area over the past year, the funds allocated have failed to deliver adequate security across many domains. This may be because healthcare organizations have underestimated the surge in cyber threats, resulting in relatively insufficient investment levels.
The disparity between the level and capability of cybersecurity investment is a result of the mismatch between purchasing power and inherent capabilities. If cybersecurity investment is not part of a coordinated strategy, such spending often leads to greater waste.
■ Conclusion
In summary, cybersecurity in the healthcare sector requires a novel approach to advance, as detailed below:
Through strategic design, integrate cybersecurity technologies with network architecture in the early stages. As many enterprises have achieved interconnectivity, their inherent control capabilities have correspondingly diminished, necessitating the redesign and development of security implementation plans. Cybersecurity investment should become an integral part of a coordinated digitalization strategy.
A meticulously prepared and coordinated cybersecurity team and information security operations center. Appoint a senior executive to take full responsibility for information technology security and enhance real-time monitoring capabilities through a Security Operations Center (SOC). Other areas to be covered include vulnerability management and inter-departmental communication.
Enhance cybersecurity awareness and capabilities at all levels. Cybersecurity is both an operational risk and a technical risk. Therefore, cybersecurity professionals must be proficient in both areas. While senior management generally only needs to be aware of the existence of these issues, it is also crucial for the board of directors to include members with relevant expertise who can assist in oversight and management.
Implement cybersecurity strategies with a broad perspective. By collaborating with various business partners, healthcare organizations have effectively extended their value chains. While third-party vendors increase cybersecurity risks, the key lies in understanding the inherent risks associated with the concurrent use of multiple third-party vendors and identifying those vulnerabilities that must be remediated.
Compiled by Chen Xin
Editor: Mo Renying